Why submit a website to plaintext offenders?

To quote their FAQ:

Aren’t you worried hackers will use your site to find targets?

Yes, but less worried than having this information remain secret and relying on Security Through Obscurity.

To be more verbose: There are two possible outcomes from submitting a site there:

  1. They fix it - This is more likely to happen when they get publicly shamed. The attack probability increases, too.

    Also, hiding security problems away (leaving it secure only as long as it is kept secret) rather than fixing them is generally considered a security antipattern, as the NIST "Guide to General Server Security" states:

    "System security should not depend on the secrecy of the implementation or its components."

  2. They do not fix it - Then it is at least documented publicly and externally.

    To be more specific, thanks to Chris Cirefice, who pointed out in the comments more explicitly what I had in mind:

    "documented publicly and externally" - with timestamps. So if a student loan company is hacked and the students' bank details are released due to lack of compliance with (U.S.) government policies, e.g. the Gramm-Leach-Bliley Act, the students could sue the company, and the timestamps of public release of failure to comply would be great evidence in court for recompense.


The question seems to make the assumption that plaintext offenders is the only site which maintains such a list, rather than just being the one with the highest white-hat public profile.

There are, however, plenty of other, less salubrious sites, which maintain such lists; any domain listed on Plaintext Offenders is likely to have been on these other sites for some time.

So you are most likely not telling the bad guys anything they don't know, but you may be telling the site owners something they don't know, and shining a light of publicity to encourage them to act upon it.


One thing that's important to understand is that there is a practical difference between "password exposure" and "more risk."

You can say with certainty that submitting a site to plaintext offenders results in additional password exposure. This fact is not in question.

Whether it results in additional risk, however, is more nuanced. If the site does nothing about it, and you and other users continue to use the site as if the flaw was not known, then the additional password exposure does indeed result in additional risk. If, however, it leads to changes in behavior, e.g., some users decide not to re-use passwords they would have otherwise re-used on this site (more likely), or the negative publicity leads the site to improve the security of the system (less likely, but possible, and a huge reduction in risk if achieved), then the equation changes to somewhere between not so clear and a definite and significant reduction in risk.

So it isn't as cut-and-dried as one option is right and the other is wrong. Risk, by its very nature, includes a component of the unknown, which is the likelihood of eventual exploitation, so ultimately it comes down to a judgement call.